Electronic marketplaces, such as the person-to-person trading system pioneered by eBay, Inc., have become a well-known way to buy and sell goods and services via the Internet. Typical electronic marketplace systems allow sellers to enter a description of the item or service they wish to offer through an online auction. This item description may be in text or HTML format and is then stored on the electronic marketplace system. When a prospective buyer wishes to view the item (or service) that is being offered, he directs his web browser to download and display the appropriate item listing web page from the electronic marketplace system.
The item listing web page typically is an HTML document that includes not only the seller's item description but also other content provided by the electronic marketplace service. FIG. 1 shows an example of such a web page. In addition to the item description 114, the item listing document may include, e.g., an item title 100 (“Sample Item for Sale”), a minimum starting bid 102, the time remaining before the auction ends 104, the auction start time 106, the bid history 108, the item location 110, the shipping summary 112, detailed instructions concerning shipping and handling 116, payment methods accepted 118, legal disclaimers 120, an item number 122, and seller information 124 such as the seller's feedback rating.
As noted above, the item listing web page is normally an HTML document that includes not only content provided by the electronic marketplace service, but also the seller-provided item description, which may itself contain executable code, e.g., HTML code. For example, the item description 114 on FIG. 1 (“***Sample HTML item description***”) was produced by the following HTML code:
<br> * * *<br> <b>Sample HTML item description</b><br> * * *Thus, the web browser on the potential buyer's computer “renders” both the service-provided HTML content and the seller-provided HTML content.
There is, however, an undesirable byproduct of permitting sellers to describe their items or services using embedded code. For example, a malicious seller might include HTML code that makes use of malicious HTML tags or scripts to alter the content provided by the auction service. For example, a malicious seller might attempt to replace a particular logo with a different image or try to divert private information that a potential buyer might provide to the auction service (e.g., cookie information).
These risks associated with embedded code have been widely recognized among web site providers. For example, the Department of Energy's Computer Incident Advisory Capability has reported that “[m]ost web browsers have the capability to interpret scripts embedded in web pages downloaded from a web server. Such scripts may be written in a variety of scripting languages and are run by the client's browser . . . . In addition to scripting tags, other HTML tags . . . have the potential to be abused by an attacker . . . to alter the appearance of the page, insert unwanted or offensive images or sounds, or otherwise interfere with the intended appearance and behaviour of the page.” CIAC Information Bulletin K-021.
An approach that is conventionally used to address the risks associated with embedded content is to filter out potentially malicious code from within the embedded content. For example, a filter program might search the embedded code for <script> </script> HTML tags and delete any code that lies between the tags. A difficulty with this approach, however, is that a filter program may still fail to eliminate all of the potentially dangerous characters in the embedded code. Alternatively, the filter program may filter out too much material. In the above example, the filter program would prevent any and all scripts whatsoever from executing, including scripts that may be desirable or beneficial.
Thus, a long-felt need exists for a way to display both trusted content (e.g., the auction-service HTML content) and untrusted content (e.g., the seller-provided HTML content), while at the same time preventing the untrusted content from modifying or manipulating the trusted content.